Anti-Rootkit Tools Roundup Revisited

I encourage you to return to that earlier post and re-read it. The principles still apply.

Rootkits are bad...and they are still being deployed through holes in unpatched systems.

Rootkits work their magic by (basically) hooking into the lowest levels of the system kernel, so that normal attempts to find them fail: the rootkit either hides its components or hands false data back to the program making the request.

Identification requires either specialized software tools that work around those tricks, or booting "off-disk" from an alternative boot medium rather than the target disk and then examining that disk statically, "from the outside looking in."
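As an added example (not code from any of the tools listed below), here is the cross-view principle that scanners such as Rootkit Revealer apply: a normal API listing of files or registry keys is compared against a raw read of the file system or registry hive, and anything the raw read finds but the API hides is flagged. It also captures the API view twice, before and after the raw scan, so that objects that simply came and went during the scan are not reported; the allowlist entry and all paths are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str


# Discrepancies documented as benign (constructed placeholder allowlist).
KNOWN_BENIGN = {r"HKLM\SECURITY\Policy\Secrets"}


def cross_view_diff(api_before, raw_view, api_after, allowlist=KNOWN_BENIGN):
    """Compare the API view of the system with a raw low-level scan.

    The API view is captured twice, before and after the raw scan, so
    objects created or deleted while the scan ran (a classic source of
    false positives) are not reported: a raw-only object is flagged only
    if neither API snapshot saw it, and an API-only object only if both
    snapshots saw it and the raw scan did not.
    """
    findings = []
    for obj in sorted(raw_view - api_before - api_after - allowlist):
        findings.append(Finding(obj, "present in raw scan, hidden from API view"))
    for obj in sorted((api_before & api_after) - raw_view - allowlist):
        findings.append(Finding(obj, "reported by API, absent from raw scan"))
    return findings


def demo():
    """Run the diff over constructed snapshots (sample data, not real IoCs)."""
    api_before = {
        r"C:\Windows\System32\ntoskrnl.exe",
        r"C:\Windows\System32\drivers\tcpip.sys",
        r"C:\Users\demo\tmp\scratch.log",  # deleted during the raw scan
        r"HKLM\SECURITY\Policy\Secrets",
    }
    raw_view = {
        r"C:\Windows\System32\ntoskrnl.exe",
        r"C:\Windows\System32\drivers\tcpip.sys",
        r"C:\Windows\System32\drivers\hidden_example.sys",  # hidden from the API
        r"HKLM\SECURITY\Policy\Secrets",
    }
    api_after = (api_before - {r"C:\Users\demo\tmp\scratch.log"}) | {
        r"C:\Users\demo\tmp\new.log",  # created after the raw scan finished
    }
    return cross_view_diff(api_before, raw_view, api_after)
```

Only the driver that is present on disk but missing from both API snapshots is reported; the log file that vanished mid-scan and the one created afterwards are not.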

Rootkits are slowly making their way back into geek-news circles with news of a new (old) Master Boot Record (MBR) rootkit that has been evolving from proof-of-concept to in-the-wild deployment.

Generally, as the Handler's Diary post notes, Windows users who are fully patched with their Microsoft Updates should be safe. If you aren't patched, you need to be.

So it was against this backdrop that I decided to revisit my pile of portable anti-rootkit tools to see which ones needed to be updated, whether any new ones had been released, and to update the list I keep for reference.

Beware of "fake" tools - spotting them is especially hard when they copy the GUI of a trusted tool. I encourage you to verify your sources. See "Fake RootkitBuster Busted!" on the TrendLabs Malware Blog.

Note: All products, unless otherwise noted, are freeware.

My Portable USB Anti-Rootkit Tools

Through trial and error, these are the anti-rootkit tools I have found that will run successfully off a USB drive. Others may also exist, but these are the ones I rely on the most (in alphabetical order).

GMER - The tool that's got everyone in a fuss! Scans for hidden processes, services, files, registry keys, drivers, and hooks. Also allows some system function monitoring. Highly regarded by anti-rootkit professionals. More screenshots are available (while the site is up).

Helios Lite - New product from the original Helios team, developed to be portable.

IceSword - Developed in China but nicely translated into English. Busy interface but updated often. Has some advanced tools like the ability to "reboot and monitor" during the boot process. More information over on the Anti-rootkit blog description page.

McAfee Rootkit Detective Beta - "McAfee Rootkit Detective Beta is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system." Nice interface.

Rootkit Revealer - From the Sysinternals team. Easy to use, but often turns up documented false positives. It only identifies suspicious items...you are on your own to remove them with other methods and applications. Better for system checking and monitoring than for protection and removal in and of itself.

Rootkit Unhooker - Link to the page on antirootkit.com for download and info. Interestingly, this team has now joined Microsoft. Maybe their talents will get folded into the Sysinternals Rootkit Revealer product.

SEEM - Multi-purpose system reporting tool with an interesting interface. Includes a rootkit scanner among its features. The website (translated from French) has quite a bit of good information on rootkits and how they relate to the program. The download page is kind of hard to find in French. Get the English version unless you know French.

Sophos Anti-Rootkit - "Sophos Anti-Rootkit provides an extra layer of detection, by safely and reliably detecting and removing any rootkit that might already have secreted itself onto your system." Note: Registration is required to download from the vendor's site (or just get it from Major Geeks directly). The utility itself is free.

Trend Micro RootkitBuster - Runs scans in five system areas and exports a nice log file. You can then opt to remove the detected items.

Anti-Rootkit Blog's Vista-Compatible Anti-Rootkit List

Anti-Rootkit Blog posted a list of seven rootkit scanners they found will work well on Vista systems. They have nice screenshots as well.

Helios - Behavior-based rather than signature-based detection. Interesting interface and approach. Worth looking at. Requires the .NET Framework to be installed. The developers also offer videos of their tool in action.

HiddenFinder - trialware - Shows hidden processes and drivers on a system and then allows for killing of the desired process.

System Virginity Verifier - Tool developed by Joanna Rutkowska to validate system integrity by checking important Windows system components targeted by hidden malware. She also provides links to some related PowerPoint presentations.

2 comments:

Anonymous said...

Wow. That is one of the most extensive lists of rootkit detection software I have seen. I have always had a question floating in the back of my mind about software in the area of security detection/removal of parasitic elements: the idea that some of this software may in fact be installing parasites of one form or another, or even a rootkit. If a rootkit does get in, then can you really detect it with some of this rootkit detection/removal software? Any chance you could blog about this, or offer a reply? Thanks

1) Do the research into ALL anti-rootkit/anti-malware programs yourself. Don't just take what I or any one person says. Put the tool's name in Google and do some searches. If it is a good tool, cream rises to the top. If not, it will become pretty clear. I think the tools listed here are legit, but as I am not a programmer, I can't dive into the code to independently verify that fact. Also, I only download them from the source/developer directly.

2) While I am quite happy and willing to remove viruses/trojans/malware from a system and feel comfortable with walking away from it "cleaned", I don't take the same approach to rootkits.

When I find evidence of a rootkit I ALWAYS recover the user-data to a USB drive, secure-wipe the entire drive(s) for that system, re-partition/format the drive fresh, then reload the system from a good image/setup disk.

I don't doubt that some/many of the tools listed here can successfully rid a system of a rootkit. However, in my approach, these tools are for identification of rootkit/rootkit-like behaviour on a system. Then based on that I wipe/restore the system.

It isn't so much that they are any more "dangerous" than any other malicious threat on a system, it's just that they hide better and deeper...thus making it a bit harder to ensure your cleaned system doesn't remain compromised.

That's my 2-cents anyway....

Better to wipe/restore than to always have a nagging worry about it being "really" clean again.
